Chapter 1 

Coalgebras as Types determined by their Elimination Rules



Anton Setzer 



Abstract We develop rules for coalgebras in type theory, and give meaning explanations for them. We show that elements of coalgebras are determined by their elimination rules, whereas the introduction rules can be considered as derived. This is in contrast with algebraic data types, for which the opposite is true: elements are determined by their introduction rules, and the elimination rules can be considered as derived. In this sense, the function type from the logical framework is more like a coalgebraic data type, the elements of which are determined by the elimination rule. We illustrate why the simplest form of guarded recursion is nothing but the introduction rule originating from the formulation of coalgebras in category theory. We discuss restrictions needed in order to preserve decidability of equality.

Dedicated to Per Martin-Löf on the occasion of his retirement.



1.1 Introduction 

Most programs in computing are interactive programs. This means that they are 
not batch programs, which, once started, are guaranteed to terminate after a certain 
amount of time and deliver their result. They are programs which keep running and 
interacting with user input, until they are terminated by the user. Such programs 
correspond to non-well-founded trees: Nodes are labelled by commands and the 
branching degree of a node labelled by a command is the set of responses to this 
command. A computation which goes on for ever corresponds to an infinite path in 
this tree. More details of this can be found in a series of articles by the author and 
Peter Hancock [22, 23, 24, 25, 26]. Colists are simple trees with branching degrees 
0 or 1, and for ease of presentation, we restrict ourselves in this article to colists. 
Martin-Löf type theory is supposed to be a language in which programs can be written and in which we can prove correctness properties of such programs. In order to be able to write interactive programs and reason about them, we need to represent non-well-founded structures. Coalgebras originating from category theory provide a theory of non-well-founded structures. They allow us to represent the elements of such structures in a finitary way. Elements are not per se infinitary; in fact we will represent them in type theory as finitary objects. As part of a coalgebra we have a case distinction operation. In the case of colists, the result of applying it to a colist is the information whether the element represents the empty list or a list formed from a given head and a given tail. By iteratively applying case distinction, a colist then unfolds to a potentially infinite list.

The goal of this article is to introduce a notion of coalgebras into type theory and provide meaning explanations for them. We want coalgebras to be first class citizens, i.e. they are not encoded in terms of other data types. This seems to be the general way of moving forward in type theory. In most other mathematical theories the goal is to define a minimal closed theory which allows one to encode all structures needed in mathematics. In type theory it is usual practice to continuously extend the theory in such a way that new structures needed are represented directly.

In this article we develop the theory of coalgebras in type theory, while closely following the categorical notions. One main focus is to develop meaning explanations for coalgebras, in order to fully integrate them into the theoretical setting of type theory. Whereas coalgebras only extend the expressiveness, not the proof theoretic strength, of type theory, we hope that this project will help to develop the basis for future proof theoretically strong extensions of type theory.

We start by exploring the notion of inductive data types, which correspond to initial algebras. We will as well review meaning explanations for them. Then we develop the notion of a final coalgebra. We will see that a simple form of guarded recursion is nothing but the introduction rule of final coalgebras, which represents the existence of morphisms in the defining diagrams for coalgebras. We will develop a slight extension of guarded recursion as well. We then explore limitations of coalgebras needed in order to maintain decidable equality. For this reason we will switch to weakly final coalgebras with an extended version of guarded recursion. We will see that in a decidable type theory we cannot assume that every element is introduced by a coconstructor. This is the underlying reason for the failure of subject reduction in implementations of type theory and for problems with dependent case distinction. Next, we develop type theoretic rules for coalgebras based on extended guarded recursion.

In the last part, we will develop meaning explanations for coalgebras. We will need to change the setting of meaning explanations in order to be able to explain coalgebras. As in the original meaning explanations by Martin-Löf, inductive data types are given by explaining how to introduce their elements and when two elements introduced are equal. So the elements are determined by their introduction rules. The elimination rules are justified by verifying that they operate correctly for every element introduced. Meaning explanations of coalgebras are given differently. Elements of coalgebras are given by defining how to compute other elements from them. Elements are equal if the computed results are equal. Therefore elements are given by their elimination rules. The introduction rules are justified by verifying that they introduce elements which allow us to apply the elimination principle.
Related Work. The use of coalgebras in non-dependent functional programming was, to the author's knowledge, first introduced in 1987 in the PhD thesis of Hagino [20] (see as well [21]). He used the terminology codatatype for coalgebras defined by their elimination rules. Aczel introduced in 1988 in his book [1] non-well-founded set theory. Non-well-founded sets are necessarily infinite objects, which can be introduced by the anti-foundation axiom, a form of guarded recursion. Based on Hagino's work, Cockett, Fukushima and Spencer developed in 1992 the non-dependent functional programming language Charity with a very clean categorical syntax. Leclerc and Paulin-Mohring in [32] (1994) used the impredicative types in Coq in order to represent streams and define the sieve of Eratosthenes. Coquand introduced in 1994 in [10] the concept of guarded recursion. Gimenez [19, 18] developed in 1994 an extension of the calculus of constructions by inductive and coinductive types. He showed how to reduce general forms of guarded recursion to coalgebras. Already in his PhD thesis [18] he discovered problems with subject reduction, which will be discussed later in this paper. Paulson implemented in 1994 axioms for coinduction in Isabelle [43]. Telford and Turner [47, 49, 48], starting in 1995, promoted the use of codata as truly infinite data types introduced by their introduction rules, and implemented them in the functional programming language Miranda. The author has, together with Hancock, since 1999 developed in [22, 23, 24, 25, 26] interactive programs in dependent type theory. This included in [25, 26] a definition of the rules for guarded recursion and weakly final coalgebras in Martin-Löf Type Theory (2004). Coalgebras have been introduced in the interactive theorem prover Coq. The "Coq-book" [6] by Bertot and Casteran contains an extensive chapter 14 on the development of coinductive data types and proofs of their properties. See as well the note [5] by Bertot. Coinductive data types have as well been implemented in Agda [41] by Norell, Danielsson, Abel and other members of the Agda development team; see the intense discussions on the Agda email list [2]. The latest version, which is currently implemented in Agda using a notion of coalgebraic arguments, was presented in [4]. McBride has written a short paper [38] on the problem of subject reduction in coalgebras, and on how to develop coalgebras in observational type theory. We will discuss this paper later in detail.

General setting and notations. This paper is heavily based on Martin-Löf Type Theory [34], mainly on the version presented in the second part of [40], with the restriction to the small logical framework outlined below. As usual we have the basic judgements A : Set, A = B : Set, a : A and a = b : A. Hypothetical judgements will be written as Γ ⇒ θ, where θ is a basic judgement and Γ a context. Contexts Γ have the form x_1 : A_1, ..., x_n : A_n, where x_1 : A_1, ..., x_{i-1} : A_{i-1} ⇒ A_i : Set. If Γ is the empty context, we write simply θ instead of Γ ⇒ θ.

We will develop type theory based on the small logical framework, see for instance [44]. If A : Set and x : A ⇒ B : Set, we can form the dependent function set (x : A) → B : Set. (This type is often written as Πx : A.B. However, in Martin-Löf Type Theory Πx : A.B is reserved for the inductive data type having constructor λ : ((x : A) → B) → Πx : A.B.)

The canonical elements of (x : A) → B are terms (x)t where x : A ⇒ t : B, which is sometimes written as λx.t. Following the conventions in Martin-Löf Type Theory, we reserve λ for the constructor of Πx : A.B. Application is written in functional style in the form (s t). We use the usual abbreviations such as writing (r s t) for ((r s) t) (the outermost brackets are only for better readability). Furthermore (x : A, y : B, z : C) → D denotes (x : A) → ((y : B) → ((z : C) → D)).

Note that large types such as (x : A) → Set are only allowed in the full logical framework. The reason for restricting ourselves to the small logical framework is that we have a satisfactory understanding of how to develop meaning explanations for it. One central part of this article is the discussion of meaning explanations for coinductive types.

Because of the restriction to the small logical framework, arguments referring to 
elements of type Set are presented as premises in rules. For practical applications, 
the use of the full logical framework, as it is implemented for instance in Agda, is 
preferred. Then these arguments can easily be abstracted. 

Apart from the standard structural rules and the rules for the dependent function sets, we add rules for the intensional equality type a ==_A b (where A : Set, a : A and b : A), the one element set 1 with its only element * : 1, the binary product (A × B) (where A, B : Set), the disjoint union (A + B) (again A, B : Set), and the set of natural numbers N. The use of N is not crucial for the development of type theory in this article; we just use it as a convenient example set.

We will use expressions such as C(x), step_cons(n, l) for terms depending on free variables x or n, l. After using C(x), the expression C(t) is the result of substituting the term t for x (where we identify α-equivalent terms and resolve substitution problems as usual). After a premise of a rule x : A ⇒ C(x) : Set we write simply C rather than (x)C(x) for the argument C. The same applies to similar expressions as well.

Acknowledgements. We want to thank the anonymous referee for valuable comments on an earlier version of this article. We want to thank as well our PhD student Fredrik Nordvall Forsberg for diligent proofreading and valuable remarks.



1.2 Initial Algebras defined by their Introduction Rules

The set of lists in Martin-Löf Type Theory. In Martin-Löf type theory, types are usually introduced by their introduction rules. Let us consider the type of lists of natural numbers. It has formation rule

    List_N : Set

and introduction rules

    nil : List_N          cons : N → List_N → List_N

The elimination rule expresses that List_N is the least set closed under these operations, as expressed by the principle of higher type primitive recursion over lists:

    x : List_N ⇒ C(x) : Set
    ------------------------------------------------------------------------
    Rec_List : (step_nil : C(nil))
             → (step_cons : (n : N, l : List_N) → C(l) → C(cons n l))
             → (l : List_N)
             → C(l)

The equality rules, where we omit the obvious assumptions on the types of the parameters, are as follows:

    Rec_List step_nil step_cons nil = step_nil

    Rec_List step_nil step_cons (cons n l) = step_cons n l (Rec_List step_nil step_cons l)

By the type theoretic rules for List_N we mean the rules above.
Meaning explanations were introduced by Per Martin-Löf [34, 35, 36, 37]. They are part of a program to develop a theory in such a way that we have a direct insight that everything proved in it is correct. By Gödel's incompleteness theorem we know that there is no proof of the consistency of any reasonable mathematical theory by weaker methods. Therefore there is no mathematical argument which guarantees that the mathematical theories used for proving theorems are actually consistent and which would not be prone to the danger of using an inconsistency of the theory in question. So any justification of the consistency of a reasonable mathematical theory needs ultimately to be based on a philosophical argument. Such an argument can never be fully formal, since otherwise we would obtain a mathematical proof of the consistency of the theory in question. What meaning explanations by Martin-Löf provide is, to the author's knowledge, at this time the best possible way of getting a direct insight into the validity of the judgements derivable in Martin-Löf type theory. They are a way of making as precise as possible the reasons why all judgements derivable in this theory are valid.

In meaning explanations one gives a meaning to each judgement and investigates 
for each rule that we obtain valid judgements in the conclusion from valid judge- 
ments in the premise. The meaning of a set is given by explaining what the elements 
are and when two elements are equal. Two sets are equal if an element of one set is 
an element of the other, and if two elements are equal in one set they are so in the 
other. 

One should note that meaning explanations, as the author understands them, justify extensional equality. For colists, as defined later, they will even justify bisimilarity (which will be introduced below) as equality. We do not see any inherent problem in this. The reason for having intensional equality is that we want to decide for every proposition whether a term p is a proof of this proposition; hence we need decidable type checking.
Meaning explanations for List_N. In these explanations, elements are determined by their introduction rules. List_N is a set. nil is a canonical element of List_N, and for n a natural number and l an element of List_N, (cons n l) is a canonical element of List_N. Non-canonical elements of List_N are programs which evaluate to canonical elements of List_N. The element nil is equal to itself. The elements (cons n l) and (cons n' l') are equal if n and n' are equal elements of N and l and l' are equal elements of List_N. The elements nil and (cons n l) are not equal. Non-canonical elements are equal if the results of evaluating them to canonical elements are equal.

The elimination and equality rules are explained by showing how to compute from elements of List_N elements of other sets. Their explanation uses that we have determined what the canonical elements of List_N are, so it makes use of the introduction rules for List_N. The explanation of Rec_List is as follows: Assume C(x) is a set depending on an element x of List_N. So for every element l of List_N we have that C(l) is a set. Assume step_nil is an element of C(nil) and step_cons is a function which maps elements n of N, l of List_N and p of C(l) to elements of C(cons n l). Assume l is an element of List_N. Then (Rec_List step_nil step_cons l) is a program which computes an element of C(l). This element is computed as follows: First l is computed, which evaluates to a canonical element of List_N. If this element is nil, then (Rec_List step_nil step_cons l) evaluates to the result of computing step_nil, which is an element of C(nil) and therefore as well of C(l). Otherwise l evaluates to (cons n l'), where n is an element of N and l' is an element of List_N. Before we introduced l we have introduced l', and therefore c' := Rec_List step_nil step_cons l' is an element of C(l'). Now (Rec_List step_nil step_cons l) is evaluated by computing (step_cons n l' c'), which has as result an element of C(cons n l') and therefore of C(l). The equality rules follow since the left hand side is evaluated by evaluating the right hand side.
List_N as an initial algebra. Assume a category having finite products (including a terminal object 1, which is the empty product; since elements are arrows out of 1, the object 1 must be terminal) and a binary coproduct (A + B) for objects A, B. Assume as well a natural numbers object N (we will not need any specific properties of it). Elements a of objects A are arrows a : 1 → A, and we write a : A for such elements. Let F_List be the functor with object part F_List X = nil + cons(N, X). Here nil + cons(N, X) is a notation for 1 + (N × X), where we write nil := inl * for the element * : 1 (corresponding to id : 1 → 1) and (cons n x) for the element (inr (n, x)) where n : N and x : X. The name nil signifies a nil-shape and cons a cons-shape. For f : A → B we obtain an obvious morphism part F_List f : F_List A → F_List B. An F_List-algebra is a pair (A, f) where A is an object and f : F_List A → A. A morphism between F_List-algebras (A, f) and (B, g) is a function h : A → B s.t. the following diagram commutes, i.e. h ∘ f = g ∘ F_List h:

    F_List A ----f----> A
        |               |
    F_List h            h
        |               |
        v               v
    F_List B ----g----> B
An initial F_List-algebra (List_N, intro) is an initial object in the category with objects F_List-algebras and morphisms F_List-algebra morphisms. So we have a morphism intro : F_List(List_N) → List_N, and if we have any other F_List-algebra (A, f), i.e. if we have f : F_List A → A, then there exists a unique g : List_N → A s.t. the following diagram commutes, i.e. g ∘ intro = f ∘ F_List g:

    F_List(List_N) ---intro---> List_N
          |                       |
      F_List g                    g
          |                       |
          v                       v
       F_List A -------f------->  A

Consider now the specific category in which objects are elements of Set (where definitionally equal sets are identified) derivable in Martin-Löf type theory. Let morphisms f : A → B be functions of this type derivable in type theory. Let f, f' : A → B. Consider f equal to f' as morphisms in category theoretic diagrams if and only if f, f' are equal extensionally, i.e. ∀a : A. f a ==_B f' a, where ==_B is the intensional equality type. Assume the type theoretic rules for List_N. Let intro : F_List(List_N) → List_N, intro nil = nil and intro (cons n l) = cons n l. Then (List_N, intro) is an initial F_List-algebra: It is obviously an F_List-algebra. Furthermore, assume (A, f) is another F_List-algebra. Then we can define using the elimination rule for List_N a function g : List_N → A such that g nil = f nil, g (cons n l) = f (cons n (g l)). It follows in type theory that g is the unique F_List-algebra morphism g : (List_N, intro) → (A, f): That it is an F_List-algebra morphism is obvious. Further, if there is any other F_List-algebra morphism g' : (List_N, intro) → (A, f), one can show by induction on l : List_N (which corresponds to the elimination rule for List_N) ∀l : List_N. g(l) ==_A g'(l), so g and g' are equal morphisms.

Therefore the rules of type theory for List_N imply the principle that List_N is an initial algebra. One can show as well that the principle of (List_N, intro) being an initial algebra implies the type theoretic rules for List_N. However, this direction requires extensional equality. This result is in fact a special case of [16]. The type theoretic rules for List_N and the principle of (List_N, intro) being an initial algebra are therefore extensionally equivalent, but intensionally different (although we have no formal proof of this). In this sense we can regard the type theoretic rules without extensional equality as one possible representation of the rules of an initial algebra.
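The initial-algebra reading of the List_N rules, as an added Python example (not code from the paper): F_List shapes are tagged tuples, `rec_list` is the non-dependent instance of Rec_List (Python cannot express a set C(x) depending on x), `fold` is the morphism g obtained from an arbitrary F_List-algebra (A, f), and `diagram_commutes` checks g ∘ intro = f ∘ F_List g on a concrete shape. The names `fold`, `fmap_list`, `sum_alg` and `length_alg` are my own choices.

```python
# Added example, not from the paper: List_N as an initial F_List-algebra.
from typing import Any, Callable

NIL = ("nil",)  # the nil shape of F_List X = nil + cons(N, X)


def cons_shape(n: int, x: Any) -> tuple:
    """The cons shape (cons n x) of F_List X, i.e. inr (n, x)."""
    return ("cons", n, x)


# Canonical elements of List_N are built only from nil and cons.
nil = NIL


def cons(n: int, l: tuple) -> tuple:
    return ("cons", n, l)


def intro(shape: tuple) -> tuple:
    """intro : F_List(List_N) -> List_N; intro nil = nil, intro (cons n l) = cons n l."""
    return shape


def rec_list(step_nil: Any, step_cons: Callable[[int, tuple, Any], Any], l: tuple) -> Any:
    """Rec_List step_nil step_cons l, following the two equality rules."""
    if l[0] == "nil":
        return step_nil
    _, n, tail = l
    return step_cons(n, tail, rec_list(step_nil, step_cons, tail))


def fold(f: Callable[[tuple], Any]) -> Callable[[tuple], Any]:
    """The algebra morphism g : List_N -> A for an F_List-algebra (A, f):
    g nil = f nil, g (cons n l) = f (cons n (g l))."""
    return lambda l: rec_list(f(NIL), lambda n, _l, r: f(cons_shape(n, r)), l)


def fmap_list(h: Callable[[Any], Any]) -> Callable[[tuple], tuple]:
    """Morphism part F_List h: apply h under the cons shape, fix nil."""
    return lambda s: NIL if s[0] == "nil" else cons_shape(s[1], h(s[2]))


# Two sample F_List-algebras on A = int (constructed for this example).
def sum_alg(s: tuple) -> int:
    return 0 if s[0] == "nil" else s[1] + s[2]


def length_alg(s: tuple) -> int:
    return 0 if s[0] == "nil" else 1 + s[2]


def list_of(*ns: int) -> tuple:
    """Build a canonical element of List_N from Python integers."""
    l = nil
    for n in reversed(ns):
        l = cons(n, l)
    return l


def diagram_commutes(f: Callable[[tuple], Any], shape: tuple) -> bool:
    """Check g ∘ intro = f ∘ F_List g at one shape in F_List(List_N)."""
    g = fold(f)
    return g(intro(shape)) == f(fmap_list(g)(shape))
```

`fold(sum_alg)` is the unique morphism from (List_N, intro) to (int, sum_alg); the uniqueness itself is the induction argument of the text and is not something the code can check, but the commuting square can be evaluated on any shape.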



1.3 Weakly Final Coalgebras 

Colist. We will introduce the type of colists, whose elements can be unfolded to potentially infinite lists of natural numbers. Colists will be defined as weakly final coalgebras. Coalgebras are the dual of algebras, and are obtained by inverting the direction of the arrows in the category theoretic formulation of algebras. An F_List-coalgebra is a pair (A, f) where f : A → F_List A, and as for algebras we sometimes omit f when it is obvious from the context. An F_List-coalgebra morphism between coalgebras (A, f) and (B, g) is a function h : A → B s.t. the following diagram commutes, i.e. F_List h ∘ f = g ∘ h:

    A ----f----> F_List A
    |               |
    h            F_List h
    |               |
    v               v
    B ----g----> F_List B

A final F_List-coalgebra (coList, case) is a terminal object in the category of F_List-coalgebras. Therefore it is an F_List-coalgebra. Furthermore, for any other coalgebra (A, f), i.e. f : A → F_List A, there exists a unique coalgebra morphism g : (A, f) → (coList, case), i.e. a unique g : A → coList s.t. the following diagram commutes, i.e. case ∘ g = F_List g ∘ f:

       A -----f-----> F_List A
       |                 |
       g              F_List g
       |                 |
       v                 v
    coList ---case---> F_List(coList)

Weakly final F_List-coalgebras are weakly terminal objects in the category of F_List-coalgebras, which means that we omit the condition that g as above is unique. Assume in the following that (coList, case) is a weakly final F_List-coalgebra.

The function case : coList → (nil + cons(N, coList)) determines for an element of coList whether it is of the form nil or (cons n l). Note that we can apply case to l again. So an element of coList is an element which can, by iteratively applying case to it, be unfolded to a potentially infinite list. For instance an element a : coList s.t. case a = cons 0 a represents what would in a framework of infinite terms be the infinite list (cons 0 (cons 0 (cons 0 ...))).

Codata types and guarded recursion. In functional programming, codata types 
([49]) are often considered as variants of algebraic data types which allow the for- 
mation of infinitely many applications of constructors. For instance one could define 
the codata type of colists, which has constructors nil and cons. Then it is possible 
to have infinite nesting of cons and define a colist (cons 0 (cons 0 (cons 0 •••))) 
directly. One sees immediately that this destroys normalisation. We will see below 
that decidable type checking is not possible, if we assume that each element of a 
coalgebra is introduced by a constructor. Coalgebras are a version of codata types, 
where elements are not per se infinitary, but unfold to infinite objects. 
Relationship to guarded recursion. Guarded recursion was introduced by T. Coquand in [10] in a setting of infinitary terms. Bertot and Casteran use in Chapter 13 of the "Coq-book" [6] guarded recursion and codata types extensively for the development of infinite objects and proofs about these objects. Guarded recursion allows one to define elements of codata types recursively, by allowing full recursion as long as recursive calls are guarded by at least one (possibly more) constructors of the codata type in question, and no other functions are applied to the result of a recursive call. A simple form of guarded recursion is where we always have one recursive call guarded by exactly one constructor.

We can see now that in the coalgebraic setting the existence of the F_List-coalgebra morphism g : A → coList for any F_List-coalgebra (A, f) corresponds to this simple form of guarded recursion: We have

    case (g a) = nil              if f a = nil,
    case (g a) = cons n (g a')    if f a = cons n a'.

By choosing suitable f we can therefore define g : A → coList by guarded recursion, s.t. for a : A we have case (g a) = nil or case (g a) = cons n (g a'). Which of the two cases holds and the choice of n and a' can be decided depending on a. Note that there are no conditions on a' to be smaller than a. This principle is the simple form of the principle of guarded recursion. The difference to the setting using codata types is that (g a) is not equal to nil or (cons n (g a')), but unfolds when applying case to it to an element having the shape nil or (cons n (g a')).

An example of guarded recursion is that we can define a function g : N → coList s.t. case (g n) = cons n (g (n + 1)). Then (g 0) represents the infinite list (cons 0 (cons 1 (cons 2 ...))).

Extended guarded recursion. Let (nil' + cons^r(N, A) + cons^n(N, coList)) be the set having elements nil', (cons^r n a) for n : N, a : A, and (cons^n n l) for n : N, l : coList. We are going to show that, if g : A → (nil' + cons^r(N, A) + cons^n(N, coList)), then we can define a function f : A → coList s.t.

    case (f a) = nil              if g a = nil',
    case (f a) = cons n (f a')    if g a = cons^r n a',
    case (f a) = cons n l         if g a = cons^n n l.

So (g a) decides whether (f a) is of nil-shape (constructor nil'); of cons-shape with a recursive call to (f a') (therefore the name cons^r); or of non-recursive cons-shape (therefore the name cons^n). This principle adds to the principle of guarded recursion the possibility of defining (case (f a)) by a non-recursive cons-shape.

We show the existence of the f just given, provided that coList is a final coalgebra.

Here (nil' + cons^r(N, A) + cons^n(N, coList)) will be a notation for the disjoint union (1 + ((N × A) + (N × coList))), where nil' := inl *, cons^r n a := inr (inl (n, a)) and cons^n n l := inr (inr (n, l)).

Assume g as just given. Define A' := A + coList and g' : A' → (nil + cons(N, A')) by

    g' (inl a) = nil                 if g a = nil',
    g' (inl a) = cons n (inl a')     if g a = cons^r n a',
    g' (inl a) = cons n (inr l)      if g a = cons^n n l,

    g' (inr l) = nil                 if case l = nil,
    g' (inr l) = cons n (inr l')     if case l = cons n l'.

Let f' : A' → coList be the coalgebra morphism such that the following diagram commutes, i.e. case ∘ f' = F_List f' ∘ g':

       A' -----g'----> F_List A'
       |                  |
       f'              F_List f'
       |                  |
       v                  v
    coList ---case---> F_List(coList)

If coList is a final coalgebra, then one can see that (f' (inr l)) is equal to l. The reason for defining (f' (inr l)) this way was that it allows us to replace the non-recursive call to l in f by a recursive call to (f' (inr l)). Let f := f' ∘ inl : A → coList. We obtain that f indeed fulfils the desired equations.

We call the principle that, for every g : A → (nil' + cons^r(N, A) + cons^n(N, coList)), we can define f : A → coList such that the equations for (case (f a)) just given hold, the principle of extended guarded recursion. Full details will be found in [45]. Note that we chose in the third case not to escape directly to an element l : coList (i.e. to set (f a) = l), but only to an element (f a) such that case (f a) = cons n l for given n, l. The reason for this is that this allows us to define cons with case (cons n l) = cons n l, as shown below.

Gimenez shows in [19] how to derive more general forms of guarded recursion 
for coalgebras. 

The coconstructors nil, cons. In the case of final coalgebras it follows (e.g. [30], Lemma 2.3.3) that case : coList → F_List(coList) is an isomorphism. Let case⁻¹ be its inverse and define nil := case⁻¹ nil, cons n l := case⁻¹ (cons n l). Then we have that case nil = nil and case (cons n l) = cons n l. case⁻¹ is surjective, so every l : coList is equal to nil or (cons n l') for some n, l'. Especially, case l = nil if and only if l = nil, and case l = cons n l' if and only if l = cons n l'. By iterating this we obtain that if l : coList, then for every k we have that l = (cons n_1 (cons n_2 ... (cons n_j nil) ...)) for some j < k and n_1, ..., n_j : N, or l is equal to (cons n_1 (cons n_2 ... (cons n_k l') ...)) for some n_1, ..., n_k : N and l' : coList. Roughly speaking, an element of coList is a potentially infinite list of natural numbers. Furthermore, the principle of extended guarded recursion can be rewritten as follows: We can define g : A → coList s.t. depending on a we can choose g a = nil, g a = cons n (g a') for some n, a', or g a = cons n l for some n, l.

Bisimilarity as equality. A weakly final F_List-coalgebra (coList, case) is final if and only if equality on coList is bisimilarity. Here bisimilarity on colists is the largest relation ~ s.t., if l ~ l', then (case l) = nil = (case l'), or (case l) = (cons n l_0) and (case l') = (cons n l'_0) for some l_0 ~ l'_0. Bisimilarity can be introduced as an indexed coalgebra (as will e.g. be shown in the current context in [45]). Bisimilarity is equality on final F_List-coalgebras (see e.g. [30], Theorem 3.4.1), and one can easily show as well that weakly final coalgebras are final coalgebras if bisimilar elements are equal. Full details will be presented in [45].

Coconstructors in case of weakly final coalgebras. In the case of weakly final coalgebras we can define nil by case nil = nil. We can define (cons n l) s.t. case (cons n l) = cons n l' for some l' which is bisimilar to l. This can be done by defining A = (N × coList) + coList and the coalgebra f : A → (nil + cons(N, A)), f (inl (n, l)) = cons n (inr l), f (inr l) = nil if case l = nil, f (inr l) = cons n (inr l') if case l = cons n l'. Let g : A → coList be a coalgebra morphism from (A, f) to (coList, case), which exists by weak finality. Then one can easily see that g (inr l) ~ l, and we can therefore define cons n l := g (inl (n, l)). We obtain case (cons n l) = cons n l' for some l' ~ l.

Combining the above we obtain a version of case⁻¹ as well. This case⁻¹ is not surjective, and in the case of cons the equality holds only up to bisimilarity. If we add the principle of extended guarded recursion to weakly final coalgebras, we can define case⁻¹ in such a way that the equality holds definitionally (however case⁻¹ will still not be surjective): Define case⁻¹ : F_List(coList) → coList with case (case⁻¹ nil) = nil, case (case⁻¹ (cons n l)) = cons n l. In order to allow this definition we defined the non-recursive case of extended guarded recursion the way we did.
Undecidability results. Bisimilarity on F_List-coalgebras is undecidable: Define toColist : (N → N) → N → coList, case (toColist f n) = cons (f n) (toColist f (n + 1)). Therefore, in the case of final coalgebras we have toColist f n = cons (f n) (cons (f (n + 1)) (cons (f (n + 2)) ...)). Now it follows immediately that f, g are extensionally equal if and only if (toColist f 0) ~ (toColist g 0). Since extensional equality on N → N is undecidable, bisimilarity is undecidable as well. Therefore, if we want decidable definitional equality, we cannot define final coalgebras, only weakly final coalgebras.

In [45] we will show that the assumption that case⁻¹ is surjective results in an undecidable equality as well. So, if we want decidable equality on a weakly final coalgebra, we cannot assume that every element of it is of the form nil or (cons n l) for some n, l. This implies that pattern matching on coalgebras in the setting of decidable type checking is misleading, since it suggests that every element of a coalgebra is introduced by a coconstructor, and therefore contains the hidden assumption that case⁻¹ is surjective.
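The colist constructions of this section (simple guarded recursion as coiteration, extended guarded recursion, the two ways of obtaining cons and case⁻¹, toColist and bisimilarity), as an added Python example that is not code from the paper. A colist is represented, as the paper suggests, as a finitary object: a state together with a step function, and `case` is the only way to observe it. The tagged-tuple encoding of shapes and all function names are my own assumptions. `cons_copy` follows the construction from weak finality alone (A = (N × coList) + coList), so its tail is a copy of l that is bisimilar to, but not identical with, l; `cons` uses extended guarded recursion as a primitive, so case (cons n l) = cons n l holds on the nose. Because bisimilarity is undecidable, `bisim_upto` unfolds only a given number of times: a False answer refutes bisimilarity, a True answer does not prove it.

```python
# Added example, not from the paper: colists as elements determined by `case`.
from typing import Any, Callable, NamedTuple

NIL = ("nil",)  # the nil shape of F_List X = nil + cons(N, X)


class Colist(NamedTuple):
    """A finitary element of coList: a state a : A plus a step function
    f : A -> nil' + cons^r(N, A) + cons^n(N, coList) (extended guarded recursion).
    Shapes are tagged tuples: ("nil'",), ("cons_r", n, a'), ("cons_n", n, l)."""
    state: Any
    step: Callable[[Any], tuple]


def case(l: Colist) -> tuple:
    """Elimination rule: unfold one step to NIL or ("cons", n, tail : Colist)."""
    s = l.step(l.state)
    if s[0] == "nil'":
        return NIL
    if s[0] == "cons_r":                       # recursive call, guarded by cons
        return ("cons", s[1], Colist(s[2], l.step))
    return ("cons", s[1], s[2])                # cons_n: escape to an existing colist


def unfold(f: Callable[[Any], tuple], a: Any) -> Colist:
    """Simple guarded recursion (coiteration): for an F_List-coalgebra (A, f) with
    f a = NIL or ("cons", n, a'), return g a with case (g a) = F_List g (f a)."""
    def step(x):
        s = f(x)
        return ("nil'",) if s[0] == "nil" else ("cons_r", s[1], s[2])
    return Colist(a, step)


def case_inv(shape: tuple) -> Colist:
    """case^-1 via extended guarded recursion: case (case_inv s) == s definitionally."""
    if shape[0] == "nil":
        return Colist(None, lambda _: ("nil'",))
    return Colist(None, lambda _: ("cons_n", shape[1], shape[2]))


def cons(n: int, l: Colist) -> Colist:
    return case_inv(("cons", n, l))


def cons_copy(n: int, l: Colist) -> Colist:
    """cons from weak finality alone, via A = (N x coList) + coList: the tail
    is inr l unfolded step by step, so it is bisimilar to l but a new state."""
    def f(a):
        if a[0] == "inl":
            return ("cons", a[1], ("inr", a[2]))
        s = case(a[1])
        return NIL if s[0] == "nil" else ("cons", s[1], ("inr", s[2]))
    return unfold(f, ("inl", n, l))


def to_colist(f: Callable[[int], int], n: int) -> Colist:
    """case (toColist f n) = cons (f n) (toColist f (n + 1))."""
    return unfold(lambda k: ("cons", f(k), k + 1), n)


def bisim_upto(l1: Colist, l2: Colist, depth: int) -> bool:
    """Bisimilarity checked for `depth` unfoldings only: False refutes it,
    True does not prove it (bisimilarity on coList is undecidable)."""
    for _ in range(depth):
        s1, s2 = case(l1), case(l2)
        if s1[0] == "nil" or s2[0] == "nil":
            return s1 == s2
        if s1[1] != s2[1]:
            return False
        l1, l2 = s1[2], s2[2]
    return True


def take(l: Colist, k: int) -> list:
    """Observe at most k heads by repeated application of case."""
    out = []
    while len(out) < k:
        s = case(l)
        if s[0] == "nil":
            break
        out.append(s[1])
        l = s[2]
    return out
```

Two colists built from extensionally equal functions, say `to_colist(lambda n: 2 * n, 0)` and `to_colist(lambda n: n + n, 0)`, are different states that agree under every finite number of unfoldings; the only way to tell them apart would be to decide extensional equality of the two functions, which is exactly the undecidability argument of the text.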

Problem of subject reduction. The problems of pattern matching have been discussed intensively on the Agda email list. Gimenez [18, Sect. 3.4] discovered that dependent case distinction results in a problem with subject reduction. Later Nicolas Oury found a very short program in a previous version of Agda which exposes this problem, and which he orally communicated to N. Danielsson, who then posted it in [11]. Oury then converted it to Coq and posted it in [42]. A detailed analysis can be found in [38]. There were as well intensive discussions on the Agda and Coq club mailing lists, to which the author contributed. Some changes have been made to Agda which avoid this problem, see [4]. The author would prefer a more aesthetically clear solution, based on what is presented in this article. The goal would be to have a solution which presents algebras and coalgebras in a symmetric way. In Coq the problem of subject reduction seems to persist.
Type theoretic rules for weakly final coalgebras. Because of the undecidability of equality in final coalgebras, we can only introduce rules for weakly final coalgebras if we want to preserve decidable type checking. For weakly final coalgebras we can still derive the principle of extended guarded recursion, but the equations we want to satisfy will only hold up to bisimilarity as equality. For initial algebras we observed that the type theoretic rules for List_N are extensionally equal to, but intensionally stronger than, the rules for List_N being an initial algebra. In the same way we are defining rules for coList which are equivalent up to bisimilarity to, but without bisimilarity as equality stronger than, the rules for coList being a weakly final coalgebra. The principle of a weakly final coalgebra plus the principle that bisimilarity is equality is equivalent to the principle of a final coalgebra. If we take the rules for coiteration derived from the diagram, we get type theoretic rules which are up to bisimilarity equivalent to the rules of a weakly final coalgebra. If we extend the principle of guarded recursion to extended guarded recursion, we get a principle which is derivable up to bisimilarity, but without it stronger than the principle of simple guarded recursion. Therefore extended guarded recursion plus the principle of (coList, case) being a coalgebra is, without bisimilarity as equality, stronger than, and with it equivalent to, the principle of a weakly final coalgebra. As in the case of List_N we use the rules of (coList, case) being a coalgebra augmented by the principle of extended guarded recursion as one possible type theoretic formulation of the rules for (coList, case) being a weakly final coalgebra. It is not the only possible one. In general one can think of adding rules which imply further definitional equalities, which are provable up to bisimilarity, as long as the rules behave well (we have decidable type checking, subject reduction and other good properties). One reason for including extended guarded recursion is that it allows us to define the coconstructor cons by defining cons n l : coList s.t. case (cons n l) = cons n l.

For completeness, we introduce rules for dealing with (nil + cons(X,Y)) and (nil' + cons'(X,Y) + cons''(Z,Z')). (Note that if, as above, we treat these definitions as abbreviations, these rules can be derived from the rules for 1, + and ×.) We borrow notations for case distinction from [9]:

Assume in the following rules X, Y, Z, Z' : Set.

Formation rule: (nil' + cons'(X,Y) + cons''(Z,Z')) : Set .

Introduction rules:
  nil'   : (nil' + cons'(X,Y) + cons''(Z,Z')) ,
  cons'  : X → Y → (nil' + cons'(X,Y) + cons''(Z,Z')) ,
  cons'' : Z → Z' → (nil' + cons'(X,Y) + cons''(Z,Z')) .

Elimination rule:
  x : (nil' + cons'(X,Y) + cons''(Z,Z')) ⇒ C(x) : Set
  step_{nil'} : C(nil')
  x : X, y : Y ⇒ step_{cons'}(x,y) : C(cons' x y)
  z : Z, z' : Z' ⇒ step_{cons''}(z,z') : C(cons'' z z')
  ------------------------------------------------------------------------------
  { nil' ↦ step_{nil'} ; cons' x y ↦ step_{cons'}(x,y) ; cons'' z z' ↦ step_{cons''}(z,z') }
      : (x : (nil' + cons'(X,Y) + cons''(Z,Z'))) → C(x)

Equality rules:
  { ··· } nil' = step_{nil'}
  { ··· } (cons' x y) = step_{cons'}(x,y)
  { ··· } (cons'' z z') = step_{cons''}(z,z')

where { ··· } is the expression introduced in the elimination rule.
Now we can define the rules for coList:

Formation rule: coList : Set

Elimination rule: case : coList → (nil + cons(N, coList))

Introduction rule:
  A : Set
  ------------------------------------------------------------------
  intro_A : (A → (nil' + cons'(N,A) + cons''(N, coList))) → A → coList

Equality rule:
  case (intro_A f a) = { nil' ↦ nil ; cons' n a' ↦ cons n (intro_A f a') ; cons'' n l ↦ cons n l } (f a)

Note that the introduction rule is complex because it is a generic form of guarded recursion, in the same way that the elimination rule for algebraic data types is complicated because it is generic. Specific instances can be described more easily. For instance we can define

toColist : (N → N) → N → coList
case (toColist f n) = cons (f n) (toColist f (n + 1))

The coconstructors nil and cons can be defined by

nil : coList                      cons : N → coList → coList
case nil = nil                    case (cons n l) = cons n l

We observe that the elimination rules are simple whereas the introduction rules seem to be complicated and refer to all sets. This is dual to the setting for initial algebras, where the introduction rules are simple and the elimination rules refer to all sets. So a weakly final coalgebra is given by its elimination rules, which essentially express: elements of coList are programs to which we can apply case and obtain nil or (cons n l) for some other colist l.
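The rules above, as an added Python model that is not code from the paper: an element of coList is represented by nothing but its `case` program, `intro` implements the introduction rule together with its equality rule, and `to_colist`, `nil`, `cons` and `case_inv` are the instances toColist, nil, cons and case^{-1} defined on this page. The tagged tuples standing in for nil', cons' and cons'', the Python names, and the function `bisimilar_upto` are this example's own choices; the last one makes the undecidability paragraph concrete, since bisimilarity of toColist f 0 and toColist g 0 can only ever be checked to a finite depth.

```python
from typing import Any, Callable, Optional, Tuple

# Observations, i.e. elements of (nil + cons(N, coList)): nil is modelled as
# None and (cons n l) as the pair (n, l).  (Encoding chosen for this example.)
Obs = Optional[Tuple[int, "CoList"]]


class CoList:
    """An element of coList is a program to which only `case` can be applied."""

    def __init__(self, step: Callable[[], Obs]):
        self._step = step


def case(l: CoList) -> Obs:
    """Elimination rule: case : coList -> (nil + cons(N, coList))."""
    return l._step()


# Elements of (nil' + cons'(N, A) + cons''(N, coList)), the codomain of the
# step function f handed to intro_A.  Tagged tuples stand in for nil', cons'
# and cons''.
NIL_P = ("nil'",)


def cons_p(n: int, a: Any) -> tuple:
    """cons' n a: emit n, then continue with seed a (the recursive branch)."""
    return ("cons'", n, a)


def cons_pp(n: int, l: CoList) -> tuple:
    """cons'' n l: emit n, then continue with an already existing colist l."""
    return ("cons''", n, l)


def intro(f: Callable[[Any], tuple], a: Any) -> CoList:
    """Introduction rule (extended guarded recursion): intro_A f a : coList.
    The body of `step` is the equality rule
      case (intro_A f a) = { nil' |-> nil ; cons' n a' |-> cons n (intro_A f a') ;
                             cons'' n l |-> cons n l } (f a)."""

    def step() -> Obs:
        r = f(a)
        if r[0] == "nil'":
            return None
        if r[0] == "cons'":
            return (r[1], intro(f, r[2]))
        return (r[1], r[2])

    return CoList(step)


def to_colist(f: Callable[[int], int], n: int) -> CoList:
    """toColist f n with case (toColist f n) = cons (f n) (toColist f (n + 1))."""
    return intro(lambda k: cons_p(f(k), k + 1), n)


# The coconstructors are derived from intro; () plays the role of * : 1.
nil: CoList = intro(lambda _: NIL_P, ())


def cons(n: int, l: CoList) -> CoList:
    """cons n l with case (cons n l) = cons n l."""
    return intro(lambda _: cons_pp(n, l), ())


def case_inv(x: Obs) -> CoList:
    """case^{-1} : F_List(coList) -> coList with case (case^{-1} x) = x."""
    return nil if x is None else cons(x[0], x[1])


def take(l: CoList, k: int) -> list:
    """Observe the first k elements of l (fewer if l ends earlier)."""
    out = []
    while k > 0:
        o = case(l)
        if o is None:
            break
        out.append(o[0])
        l = o[1]
        k -= 1
    return out


def bisimilar_upto(l: CoList, l2: CoList, depth: int) -> bool:
    """Bisimilarity checked to a finite depth only.  For toColist f 0 and
    toColist g 0 this is extensional equality of f and g on 0..depth-1; no
    finite depth decides it, which is the undecidability result above."""
    for _ in range(depth):
        o, o2 = case(l), case(l2)
        if o is None or o2 is None:
            return o is None and o2 is None
        if o[0] != o2[0]:
            return False
        l, l2 = o[1], o2[1]
    return True
```

Because `case` is the only operation on a `CoList`, neither `take` nor `bisimilar_upto` can inspect how a colist was built: `cons(0, cons(0, nil))` and `to_colist(lambda n: 0, 0)` are told apart only by observing them far enough, which is the sense in which pattern matching on a coconstructor would smuggle in the surjectivity of case^{-1}.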
Problems with dependent case distinction. McBride [38] discussed dependent case distinction, as it occurs in the PhD thesis by Giménez [18] and is implemented in Coq. In our notation it reads

  x : coList ⇒ B(x) : Set
  ------------------------------------------------------------
  depcase_B : (step_nil : B(nil))
            → (step_cons : (n : N, l : coList) → B(cons n l))
            → (l : coList)
            → B(l)

  depcase_B step_nil step_cons nil = step_nil
  depcase_B step_nil step_cons (cons n l) = step_cons n l

There is an equality rule missing, namely for an element introduced by intro. Such a rule should be (the case for cons'' was added by the author to stay in accordance with the rest of the current article):

  depcase_B step_nil step_cons (intro_A f a)
      = { nil' ↦ step_nil ; cons' n a' ↦ step_cons n (intro_A f a') ; cons'' n l ↦ step_cons n l } (f a)

McBride states that this is the source of the problem discovered/communicated by Giménez/Oury/Danielsson [18, 42, 11]. As McBride observes, it does not even type check: in case of f a = nil', the two sides of the equation have types B(intro_A f a) and B(nil), but intro_A f a ≠ nil.

As observed by McBride, dependent case distinction results, if we omit the last rule, in non-canonical terms for the intensional equality type. In fact the situation is even worse: we get non-canonical elements of N in normal form: Let f = depcase_N 0 ((n, l) 0) : coList → N. Let zeroStream = intro_1 ((x) (cons' 0 *)) * : coList. We have that (f zeroStream) is a non-canonical closed element of N in normal form. The reason is of course that we do not have an equality rule for depcase applied to an element introduced by intro.

The underlying problem is that dependent case distinction expresses that every element of coList is of the form nil or (cons n l), i.e. that case^{-1} is surjective. In order to repair this problem, McBride suggests switching to observational type theory. This means essentially to define for all types a propositional equality together with some additional axioms. In case of coList, this equality would be bisimilarity. Since, if we add to weakly final coalgebras bisimilarity as equality, we obtain final coalgebras, the problem vanishes. However, it does not solve the problem of what the correct rules regarding definitional equalities in intensional type theory are.
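The stuck term (f zeroStream), as an added Python example that is neither the paper's code nor Coq's: terms of coList are kept as syntax trees, `case` has a reduction for every term former, but `depcase` has only the two equations quoted for nil and cons, so applying `f_N` to `zero_stream` returns a `Stuck` value, standing for a closed element of N in normal form that is not a numeral. The dataclass names, the tagged-tuple encoding of nil', cons', cons'' and the function `case_then_distinguish` are this example's own; the last one shows that the elimination of this page, case followed by case distinction on (nil + cons(N, coList)), does not get stuck on the same term.

```python
from dataclasses import dataclass
from typing import Any, Callable, Optional, Tuple, Union


@dataclass(frozen=True)
class Nil:
    """nil : coList"""


@dataclass(frozen=True)
class Cons:
    """cons n l : coList"""
    n: int
    l: "Term"


@dataclass(frozen=True)
class Intro:
    """intro_A f a : coList (A left implicit).  f a is a tagged tuple
    ("nil'",), ("cons'", n, a') or ("cons''", n, l); encoding chosen here."""
    f: Callable[[Any], tuple]
    a: Any


Term = Union[Nil, Cons, Intro]


@dataclass(frozen=True)
class Stuck:
    """A closed term to which no equality rule applies: a non-canonical
    normal form.  Here it stands for an element of N that is not a numeral."""
    head: str
    arg: Any


def case(t: Term) -> Optional[Tuple[int, Term]]:
    """case has an equality rule for every way of forming a term of coList,
    so it never gets stuck: the result is nil (None) or (cons n l) as (n, l)."""
    if isinstance(t, Nil):
        return None
    if isinstance(t, Cons):
        return (t.n, t.l)
    r = t.f(t.a)
    if r[0] == "nil'":
        return None
    if r[0] == "cons'":
        return (r[1], Intro(t.f, r[2]))
    return (r[1], r[2])


def depcase(step_nil: Any, step_cons: Callable[[int, Term], Any], t: Term) -> Any:
    """Dependent case distinction with only the two equations quoted from [18]:
      depcase_B step_nil step_cons nil        = step_nil
      depcase_B step_nil step_cons (cons n l) = step_cons n l
    Applied to a term introduced by intro, no equation fires."""
    if isinstance(t, Nil):
        return step_nil
    if isinstance(t, Cons):
        return step_cons(t.n, t.l)
    return Stuck("depcase", t)


def case_then_distinguish(step_nil: Any, step_cons: Callable[[int, Term], Any], t: Term) -> Any:
    """Non-dependent elimination as given by the rules on this page: first
    observe case t, then distinguish on the element of (nil + cons(N, coList))."""
    o = case(t)
    return step_nil if o is None else step_cons(o[0], o[1])


def f_N(t: Term) -> Any:
    """f = depcase_N 0 ((n, l) 0) : coList -> N, the function from the text."""
    return depcase(0, lambda n, l: 0, t)


# zeroStream = intro_1 ((x) (cons' 0 *)) * : the stream 0, 0, 0, ...
# (() plays the role of * : 1.)
zero_stream: Term = Intro(lambda x: ("cons'", 0, x), ())
```

`f_N(Nil())` and `f_N(Cons(7, Nil()))` both reduce to the numeral 0, whereas `f_N(zero_stream)` is returned unreduced even though `case(zero_stream)` reduces perfectly well; that asymmetry is the missing equation.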
1.4 Meaning explanations for coalgebraic types as determined by their elimination rules

We give now meaning explanations for coList based on the principle that elements of coalgebras are determined by their elimination rules. coList is a set. Elements of coList are programs l which, if we apply case to them, evaluate to nil or (cons n l') for some n in N and some other element l' of coList. Note that we do not demand that l' is defined before l. Several elements of coList might be introduced simultaneously. Two elements l, l' of coList are equal if, after applying case to them, both evaluate to nil, or they evaluate to (cons n l_0) and (cons n' l'_0) where n, n' are equal elements of N and l_0, l'_0 are equal elements of coList. Again we do not demand that the equality of l_0, l'_0 is established before the equality of l, l' is established.

Assume A is a set and f a function mapping an element of A to an element of (nil' + cons'(N,A) + cons''(N, coList)). Then for every a : A, (intro_A f a) is an element of coList. For this we determine (case (intro_A f a)): Compute (f a). If (f a) evaluates to nil', then (case (intro_A f a)) evaluates to nil. If (f a) evaluates to (cons' n a'), then (case (intro_A f a)) evaluates to (cons n (intro_A f a')). If (f a) evaluates to (cons'' n l), then (case (intro_A f a)) evaluates to (cons n l).

Assume A, A' are equal sets and f, f' map elements of A to equal elements of (nil' + cons'(N,A) + cons''(N, coList)). For all a, a' equal elements of A we have that (intro_A f a) and (intro_{A'} f' a') are equal elements of coList: Assume a and a' are equal elements of A.

Assume (f a) evaluates to nil'. Then, since f is equal to f' and a is equal to a', (f' a') evaluates to nil' as well. Then (case (intro_A f a)) and (case (intro_{A'} f' a')) both evaluate to the same element nil.

Assume (f a) evaluates to (cons' n a_0). Then (f' a') evaluates to (cons' n' a'_0) for some n' equal to n and a'_0 equal to a_0. Then (case (intro_A f a)) evaluates to (cons n (intro_A f a_0)) and (case (intro_{A'} f' a')) evaluates to (cons n' (intro_{A'} f' a'_0)). n and n' are equal elements of N, and (intro_A f a_0) and (intro_{A'} f' a'_0) are equal elements of coList. Therefore (case (intro_A f a)) and (case (intro_{A'} f' a')) evaluate to equal elements.

Assume (f a) evaluates to (cons'' n l). Then (f' a') evaluates to (cons'' n' l') for some n' equal to n and l' equal to l. Therefore (case l) and (case l'), and therefore as well (case (intro_A f a)) and (case (intro_{A'} f' a')), evaluate to equal elements. Therefore (intro_A f a) and (intro_{A'} f' a') are equal.

Function sets as determined by their elimination rules. We can see now that the elements of the function type of the logical framework are as well determined by their elimination rules: Assume A is a set and B(x) is a set depending on elements x of A. Then (x : A) → B(x) is a set. An element of (x : A) → B(x) is a program t which, when applied to an element a of A, evaluates to an element of B(a). Two elements t, t' of (x : A) → B(x) are equal if, when applied to an element a of A, they evaluate to equal elements of B(a). Assume that for every x of A we have that t is an element of B(x). Then (x)t is the following element of (x : A) → B(x): If applied to a : A, it first substitutes in t the variable x by a. Let the result be s. Then s is evaluated, which is the result returned. Since for x of A, t is an element of B(x), s is an element of B(a). So (x)t is an element of (x : A) → B(x). Assume that t, t' are equal elements of B(x), depending on x of type A. Then if (x)t and (x)t' are applied to an element a of type A, we obtain s, s' which are equal elements of B(a). So (x)t and (x)t' are equal elements of (x : A) → B(x).

More advanced examples of coalgebras. coList is only the simplest example of a coalgebra. More advanced examples are the definition of bisimilarity on colists or on other transition systems. In [22, 23, 24, 25, 26] we discussed how to define state-dependent interactive programs in Martin-Löf type theory, and in [25] we showed how to define them as an indexed coalgebra. More examples can be found for instance in Chapter 13 of [6].



1.5 Conclusion 

We have seen that coalgebras can be introduced in Martin-Löf type theory using formation, elimination, introduction and equality rules. Meaning explanations can be given by defining as elements of coalgebras those which allow the elimination rules to be applied. One can then explain that the introduction rules indeed introduce elements of the coalgebra. So elements of coalgebras are given by their elimination rules, and the introduction rules can be considered as being derived. This is dual to the situation for algebraic data types, for which the elements are given by their introduction rules, and the elimination rules are derived. We have seen as well that the elements of the function types from the logical framework are likewise determined by their elimination rules. One can also develop models of coalgebras, in which coalgebras are interpreted as the set of those terms to which the elimination principle can be applied.